For bug 1237504 we want to have reserved slots on proxies. When bz and I were talking about that yesterday, I realized we could get a very easy perf win right now by allocating ProxyValueArray inline in the object. This eliminates a malloc for each non-nursery allocated proxy/wrapper and improves cache locality.
This patch still keeps the ProxyValueArray* pointer. We could remove it now and get rid of the dereference, but since we have JIT code and friend APIs poking at these values it seemed better to do that separately.

To support JSObject::swap, I wonder if we should keep the ProxyValueArray* pointer and make it so that it points either into the object itself (the common case) or to malloc'd data (when swapping with a smaller native object).
Then bug 1237504 could make the number of Values in ProxyValueArray dynamic (have it depend on the Class).
I think that would work but it's pretty unfortunate that we can't always store these slots inline...

This version still allocates ProxyValueArray inline, but JSObject::swap now uses malloc when the object sizes don't match. It seems to work locally: unlike the previous version, a debug build can load Gmail without crashing.
So we can't remove the ProxyValueArray* pointer, but we still eliminate a malloc call for 99% of proxies.
Unfortunately there's an infra issue so Try will have to wait.
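The storage policy described in the two comments above, as an added illustration that is not the patch's code and not SpiderMonkey's: a proxy keeps a single ProxyValueArray* so every reader keeps dereferencing one pointer, that pointer targets an inline array whenever the enclosing cell is big enough (the common case, no malloc), and only when a swap moves the slots into a smaller cell does the array get malloc'd. The names ProxyObject, relocate, usesInlineStorage and the simulated "cell size" parameter are assumptions made for the example; real JSObject::swap exchanges GC cells in place rather than passing a byte count.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Toy stand-in for JS::Value.
using Value = uint64_t;

// Fixed slot count, like ProxyValueArray (private slot plus extra slots).
constexpr size_t kProxySlots = 3;

struct ProxyValueArray {
    Value slots[kProxySlots];
};

// Counts out-of-line allocations so callers can observe the malloc savings.
static size_t g_outOfLineAllocs = 0;

// Hypothetical proxy: the pointer is kept, but normally aims at the inline array.
class ProxyObject {
  public:
    // cellBytes simulates the size of the GC cell holding this object.
    explicit ProxyObject(size_t cellBytes) : values_(nullptr) { placeValues(cellBytes); }
    ~ProxyObject() { releaseOutOfLine(); }
    ProxyObject(const ProxyObject&) = delete;
    ProxyObject& operator=(const ProxyObject&) = delete;

    bool usesInlineStorage() const { return values_ == &inlineValues_; }
    Value& slot(size_t i) { return values_->slots[i]; }

    // What swap needs when the cell sizes differ: keep the slot contents,
    // re-decide inline vs malloc'd storage for the new cell size.
    void relocate(size_t newCellBytes) {
        ProxyValueArray saved = *values_;
        releaseOutOfLine();
        placeValues(newCellBytes);
        *values_ = saved;
    }

  private:
    void placeValues(size_t cellBytes) {
        if (cellBytes >= sizeof(ProxyObject)) {
            values_ = &inlineValues_;  // common case: no malloc at all
            return;
        }
        // Cell too small for the inline array (e.g. swapped with a smaller native
        // object): fall back to malloc'd storage, the only case that still allocates.
        values_ = static_cast<ProxyValueArray*>(std::malloc(sizeof(ProxyValueArray)));
        if (!values_) std::abort();
        ++g_outOfLineAllocs;
    }
    void releaseOutOfLine() {
        if (values_ && !usesInlineStorage()) std::free(values_);
        values_ = nullptr;
    }

    ProxyValueArray* values_;
    ProxyValueArray inlineValues_;
};

// Creates n proxies in cells of cellBytes and reports how many needed malloc.
size_t outOfLineAllocationsFor(size_t n, size_t cellBytes) {
    size_t before = g_outOfLineAllocs;
    for (size_t i = 0; i < n; ++i) {
        ProxyObject p(cellBytes);
        p.slot(0) = i;
    }
    return g_outOfLineAllocs - before;
}

// Emulates a swap into a smaller cell and back: slots survive, storage moves
// out of line and returns inline, and nothing leaks.
bool swapRoundTripPreservesSlots(size_t bigCell, size_t smallCell) {
    ProxyObject p(bigCell);
    p.slot(0) = 7; p.slot(1) = 8; p.slot(2) = 9;
    bool wasInline = p.usesInlineStorage();
    p.relocate(smallCell);
    bool wentOutOfLine = !p.usesInlineStorage();
    p.relocate(bigCell);
    return wasInline && wentOutOfLine && p.usesInlineStorage() &&
           p.slot(0) == 7 && p.slot(1) == 8 && p.slot(2) == 9;
}

int main() {
    std::printf("mallocs for 1000 normal proxies: %zu\n",
                outOfLineAllocationsFor(1000, sizeof(ProxyObject)));
    std::printf("swap round trip ok: %d\n",
                swapRoundTripPreservesSlots(sizeof(ProxyObject), sizeof(ProxyObject) / 2));
    return 0;
}
```

The useful property to check after a change like this is the one the counter exposes: proxies created in normally sized cells should cost zero mallocs, and only the swap-into-smaller-cell path should ever allocate.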

Here we go. This version looks green on Try so far.
I added some logging and this should eliminate about 20,000 mallocs when starting Firefox. I also checked Dromaeo and there we're talking millions (many non-Nursery-allocated DOM proxies) so hopefully we'll see a perf win there.